Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
Phishing Attack Techniques
Social Media Phishing
On your Facebook profile or LinkedIn profile, you can find: Name, Date of Birth, Location, Workplace, Interests, Hobbies, Skills, your Relationship Status, Telephone Number, Email Address and Favorite Food. This is everything a Cybercriminal needs in order to fool you into thinking that the message or email is legitimate.
Link Manipulation
Most methods of phishing use some form of deception designed to make a link in an email appear to belong to the spoofed organization or person. Misspelled URLs or the use of subdomains are common tricks used by phishers. Many email clients or web browsers will show previews of where a link will take the user in the bottom left of the screen or while hovering the mouse cursor over a link.
Spear Phishing
Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information (social engineering) about their targets to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks.
Clone Phishing
A type of phishing attack whereby a legitimate, and previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender.
Voice Phishing
Voice phishing is the criminal practice of using social engineering over the telephone system to gain access to personal and financial information
from the public for the purpose of financial reward. Sometimes referred to as ‘vishing’, Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Ways to defend against phishing ?
- Educate your employees and conduct training sessions with mock phishing scenarios.
- Convert HTML email into text only email messages or disable HTML email messages.
- Deploy a SPAM filter that detects viruses, blank senders, etc.
- Deploy a web filter to block malicious websites.
- Keep all systems current with the latest security patches and updates.
- Encrypt all sensitive company information.
- Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
- Develop a security policy that includes but isn’t limited to password expiration and complexity.
- Require encryption for employees that are telecommuting.
Summary
Its attacks remain one of the major threats to individuals and organizations to date. Often phishers exploit human vulnerabilities in addition to favoring technological conditions (i.e., technical vulnerabilities). It has been identified that age, gender, internet addiction, user stress, and many other attributes affect the susceptibility to phishing between people.
[…] Phishing emails, malicious downloads, and links that look legitimate as points of entry. […]